Lesson 05 · OpenClaw, Safely Pro ~10 min Channels, done right

Connect your channels: WhatsApp, Telegram, Discord.

The feature that made OpenClaw famous — your agent as a contact in your own messenger. It's also where two of the nastiest real-world exploits happened. So we do it the way professionals connect anything: one channel, least privilege, and a hard rule about group chats.

The mental model

Your agent's inbox is a terminal.

Anyone who can message your agent is effectively typing into a terminal on your agent's machine — and it acts with your permissions. Every channel is a new door; doors are easier to watch when there's one of them. So: connect exactly one channel today, and put a lock on it.

Do it · pick ONE channel

Three doors, three different locks.

Tap each to see the safe way to wire it.

Do it · the group-chat trap, live

Set the lock, then let an attacker try.

Two settings decide whether a stranger can steer your agent. Flip them, then play the attack — a random person sends a malicious instruction and you watch what happens.

📱 OpenClaw on Telegram · attack sandbox
Allowlist — who may command it
Group chats — does it sit in them?
YouWhat's on my calendar tomorrow?
🦞 Your agentTwo meetings — 10am standup, 2pm with Dana. Want the prep notes?
The other trap

The shared-context leak.

Researchers found real deployments where every direct message fed one shared conversation context. Think through what that means:

A teammate pastes an API key into the agent chat, and the agent runs one shared context across all DMs. Who can later read that key?
Anyone who DMs it. Shared context means one person's pasted secret becomes visible to the next person who chats. Two fixes: ensure per-user (or per-chat) session isolation, and never paste secrets into an agent chat at all — a chat log is exactly where credentials go to be discovered.
Connect it · ~10 minutes

The order, with the lock built in.

1Stop the service (kill-switch practice!), then run openclaw onboard again or the channels config and pick your one channel.
2Follow the wizard: a bot token for Telegram/Discord, a QR link for WhatsApp — with a dedicated number.
3Set the allowlist so the agent answers only you.
4Restart, message it from your phone: "introduce yourself." Savor the reply — this is the moment OpenClaw sells itself.
5Test the boundary: have a family member message it. Correct result: silence.
Allowlists aren't paranoia

Only-my-user-ID, only-these-two-numbers — these are the seatbelt, not paranoia. Anyone you let through is effectively typing into a terminal on the agent's machine. And never wire file or shell access behind an agent that any stranger can reach.

This week's discipline

One channel, allowlisted to you, no groups, no secrets in chat. Live with it for a week before even thinking about a second channel. Each door you add after this should answer a real need — not the collector's itch.

What you can do now

  • Choose the right first channel — a Telegram bot for clean identity separation, WhatsApp only with a dedicated number
  • Configure an allowlist so only you can command your agent
  • Explain the shared-context leak and verify per-user session isolation
  • State the group-chat rule and why an agent in a group obeys the whole group
  • Treat the agent's inbox as an attack surface — and never paste secrets into it
Pro
Up next in OpenClaw, Safely

Lesson 06 · Your first real workflows: briefing, triage, watchers

The starter automations that turn a cool demo into a working assistant — each one designed to stay inside the safety rails you've built. Start lesson 06 →

🎓
AI Coach
Ask anything about this lesson
Hey! I'm your AI Coach for this lesson. Ask me anything about connecting channels safely — Telegram vs WhatsApp, allowlists, the group-chat and shared-context traps. What's on your mind?
Free lesson coaching is limited to 3 questions. Upgrade to Pro for unlimited coaching on every lesson.